Sunday snippets
High water mark

Fixing Sony MP3 files

SONY -- I like Sony products but I don't like the way Sony creates MP3 files with Sonic Stage its on-board MP3 application. If you intend to convert your music to MP3 using Sonic Stage the application that Sony bundled with its Network Walkman, you need to clean up the Sony MP3 files. Helpfully, Ronan Waide (aka waider via Cory Doctorow) has the solution that should allow those with who purchase Sony kit to roll their own code and clean up the Sony MP3 files. From Ronan Waide comes code that deserves to be printed by 2600:

I've spent some time over the past fortnight unravelling Sony's obfuscated MP3 file format as used on the Network Walkman device I have, and probably others in the same product range. I've already got command-line tools to load, list and unload the device under Linux, and I've made a first pass at a plugin for XMMS to allow you to play files straight off the device. Note, this isn't ATRAC--it's obfuscated MP3.

  • The file starts with a 4-byte signature, "WMMP"
  • Next is a 4-byte longword giving the total file-size in bytes. This includes the file header, i.e. it's exactly what you'd see displayed in a directory listing of the file.
  • Next is the duration of the track in milliseconds, again in a 4-byte longword.
  • The third 4-byte longword gives the number of frames in the file. If you're trying to write a file to the device using your own code, I recommend ripping bits out of XMMS or mp3info to get this number, as I had difficulty locating a library that would calculate it without actually decoding the entire file.
  • There are 16 bytes of magic: there's the 0x08 0x9f 0x9e 0xff sequence that occurs in the PBLIST file, followed by 0x01, and padded out to 16 bytes with 0x00. I've no idea what any of this is but it seems unchanging.
  • The rest of the file is the obfuscated MP3 data, with no ID3 frames. Strip those out before you encode or your file will not play in the device.

Cory Doctorow says "this is why DRM is doomed: some guy spends a couple weeks' spare time picking apart a file-format for the intellectual challenge, and then your system is irrevocably, totally, permanently b0rked. Sucks to be a DRM engineer: how do they sleep nights, anyway?

The rest of the code uses an Obfuscation Mechanism which is a trivial “substitution cypher” based on the track number. From Waide:

Start off with a 256-byte array (one for each possible byte value) and fill it with array[index] = 256 - index. Then, start working your way through powers of 2 from 1 up to the biggest power of 2 less than or equal to the track number. For each power N, if the track number has bit N set, go through your array in blocks of 2N, and swap the first N bytes of the block with the second N bytes. Here’s the C code I’ve written to do this:

void mple_build_conv_array( guint16 trackno, 
guint8 *conv )
  guint16 bit;
  guint16 i;

  for ( i = 0; i < 256; i++ ) {
    conv[i] = 255 - i;

  bit = 1;
  while( bit <= trackno ) {
    if ( trackno & bit ) {
      guint16 j;
      guint16 k;
      for ( j = 0; j < 256; j+= bit * 2 ) {
        for ( k = 0; k < bit; k++ ) {
          guint8 temp;
          temp = conv[j + k];
          conv[j + k] = conv[j + k + bit];
          conv[j + k + bit] = temp;
    bit <<= 1;

Note that this array works for conversion in either direction.

Ronan Waide -- "geekery update" celebrates his birthday today.
Cory Doctorow -- " HOWTO de-obfuscate proprietary Sony Network Walkman files"